Use sandboxed-fs to limit filesystem access

Fixes: #673 PR-URL: #802
metarhia · Feb 10, 2018 · e980525 · e980525
1 parent 2f10dc0
commit e980525
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 5 deletions.
diff --git a/applications/example/www/examples/simple/fsAccess.json/get.js b/applications/example/www/examples/simple/fsAccess.json/get.js
@@ -1,5 +1,5 @@
 (client, callback) => {
-  const filePath = application.dir + '/www' + client.path + '/test.txt';
+  const filePath = '/www' + client.path + '/test.txt';
   api.fs.readFile(filePath, 'utf8', (error, data) => {
     callback({ fileContent: data, dataLength: data.length });
   });

diff --git a/lib/api.registry.js b/lib/api.registry.js
@@ -173,6 +173,7 @@ api.registry.require = (
 api.registry.load = () => {
 
   api.common = require('metarhia-common');
+  api.sandboxedFs = require('sandboxed-fs');
   api.json = JSON;
 
   let moduleName, moduleData;

diff --git a/lib/impress.application.js b/lib/impress.application.js
@@ -257,6 +257,9 @@ impress.application.mixin = (application) => {
         moduleName = apis[j];
         moduleLink = api[moduleName];
         if (!moduleLink) moduleLink = api.registry.require(moduleName);
+        if (moduleName === 'fs') {
+          moduleLink = api.sandboxedFs.bind(application.dir);
+        }
         moduleName = api.common.spinalToCamel(moduleName);
         if (moduleLink) application.sandbox.api[moduleName] = moduleLink;
       }

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -63,7 +63,7 @@
     "mkdirp": "^0.5.1",
     "multiparty": "^4.1.3",
     "ncp": "^2.0.0",
-    "sandboxed-fs": "^0.1.0",
+    "sandboxed-fs": "^0.3.0",
     "uglify-js": "^3.3.8",
     "websocket": "^1.0.25",
     "zip-stream": "^1.2.0"